[Poppler-bugs] [Bug 30228] New: poppler: use of uninitialized DCTScanInfo dcHuffTable / acHuffTable values
bugzilla-daemon at freedesktop.org
Thu Sep 16 06:50:31 PDT 2010
https://bugs.freedesktop.org/show_bug.cgi?id=30228
Summary: poppler: use of uninitialized DCTScanInfo dcHuffTable / acHuffTable values
Product: poppler
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: minor
Priority: medium
Component: general
AssignedTo: poppler-bugs at lists.freedesktop.org
ReportedBy: thoger at redhat.com
Due to the way DCTStream::readScanInfo tries to work around problems with some
broken DCT streams, it can leave certain scanInfo.dcHuffTable /
scanInfo.acHuffTable values uninitialized. These values are later used as
indices to DCTStream's dcHuffTables / acHuffTables arrays. Bogus values cause
out-of-bounds array access, resulting in an invalid DCTHuffTable pointer being
passed to DCTStream::readHuffSym, which can lead to a crash.
A fix may ensure that all scanInfo.dcHuffTable / scanInfo.acHuffTable members
are initialized to a safe value (e.g. 0) early in DCTStream::readScanInfo (this
may not be a perfect fix, but may be more corrupted-file friendly), or add an
extra check near the end of DCTStream::readScanInfo verifying that all values
are in range. The upper bound can be either sizeof([ad]cHuffTables) or
num[AD]CHuffTables. Looking at DCTStream::readHeader, there does not seem
to be a guarantee that DCTStream::readHuffmanTables is called before
DCTStream::readScanInfo, but it should not be called after.
Note: I do understand this is inside the #ifndef ENABLE_LIBJPEG block, so it is
not too likely to be used in current poppler builds. Feel free to wontfix if
the code is considered dead.
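The following is an added illustration of the failure mode and of the two fixes proposed in the report; it is not poppler's DCTStream code. It models only the scan-header (SOS) component loop: the component-ID matching that first tries the same-position component and then searches all of them, the dcHuffTable / acHuffTable selectors, and the table arrays those selectors index. Names such as readScanInfo, selectDcTable, kNumHuffTables and kMaxComps are assumptions chosen to mirror the report, the sample scan headers are constructed, and the "uninitialized" state is represented by a fixed poison value so the buggy path is deterministic rather than undefined behaviour.

```cpp
// Simplified model of the SOS component loop described in the bug report.
// Added example only: not poppler's DCTStream, names and sizes are assumptions.
#include <cstdint>
#include <cstdio>
#include <vector>

constexpr int kMaxComps = 4;       // assumption: max components per frame
constexpr int kNumHuffTables = 4;  // assumption: size of dc/acHuffTables[]
constexpr int kPoison = 0xAB;      // stands in for leftover memory contents

struct DCTHuffTable { int id; };   // stand-in for the real Huffman table

struct ScanInfo {
    int numComps;
    bool comp[kMaxComps];
    int dcHuffTable[kMaxComps];
    int acHuffTable[kMaxComps];
};

const DCTHuffTable kTables[kNumHuffTables] = {{0}, {1}, {2}, {3}};

// Frame header (SOF) component IDs, in order. Constructed sample data.
const int kFrameIds[3] = {1, 2, 3};
// SOS body as [Ns][Cs Td/Ta]*Ns (length and Ss/Se/Ah/Al omitted in this model).
// Reused IDs 1,1,2: component index 2 is never matched, so its selectors
// are never written.
const std::vector<uint8_t> kReusedIdScan = {3, 1, 0x00, 1, 0x11, 2, 0x11};
// Well-formed IDs but selector byte 0x5F: DC table 5, AC table 15, both
// past the end of a 4-entry table array.
const std::vector<uint8_t> kBadSelectorScan = {3, 1, 0x00, 2, 0x5F, 3, 0x11};

// Parse the SOS component list. With hardened=false this mirrors the
// behaviour the report describes; with hardened=true it applies both
// suggested fixes: initialize every selector to 0 up front, then verify
// every selector is in range before returning.
bool readScanInfo(const std::vector<uint8_t>& sos, const int frameIds[],
                  int frameComps, ScanInfo& si, bool hardened) {
    for (int k = 0; k < kMaxComps; ++k) {
        si.comp[k] = false;
        si.dcHuffTable[k] = hardened ? 0 : kPoison;   // fix (a)
        si.acHuffTable[k] = hardened ? 0 : kPoison;
    }
    if (sos.empty()) return false;
    size_t pos = 0;
    si.numComps = sos[pos++];
    if (si.numComps < 1 || si.numComps > frameComps) return false;
    if (sos.size() < 1 + 2 * static_cast<size_t>(si.numComps)) return false;
    for (int i = 0; i < si.numComps; ++i) {
        int id = sos[pos++];
        int j;
        if (id == frameIds[i]) {
            j = i;                       // usual case: same position
        } else {
            for (j = 0; j < frameComps; ++j)
                if (id == frameIds[j]) break;
            if (j == frameComps) return false;   // unknown component ID
        }
        int c = sos[pos++];
        si.comp[j] = true;
        si.dcHuffTable[j] = (c >> 4) & 0x0f;
        si.acHuffTable[j] = c & 0x0f;
    }
    if (hardened) {                      // fix (b): bound every selector
        for (int k = 0; k < frameComps; ++k)
            if (si.dcHuffTable[k] >= kNumHuffTables ||
                si.acHuffTable[k] >= kNumHuffTables)
                return false;
    }
    return true;
}

// The decoder indexes dcHuffTables[si.dcHuffTable[cc]] directly; here the
// out-of-bounds case returns nullptr instead so it can be observed safely.
const DCTHuffTable* selectDcTable(const DCTHuffTable tables[],
                                  const ScanInfo& si, int cc) {
    int idx = si.dcHuffTable[cc];
    if (idx < 0 || idx >= kNumHuffTables) return nullptr;
    return &tables[idx];
}

int main() {
    ScanInfo si;
    bool ok = readScanInfo(kReusedIdScan, kFrameIds, 3, si, false);
    std::printf("unhardened, reused IDs: accepted=%d dc[2]=0x%02x table=%p\n",
                ok, si.dcHuffTable[2],
                static_cast<const void*>(selectDcTable(kTables, si, 2)));
    ok = readScanInfo(kReusedIdScan, kFrameIds, 3, si, true);
    std::printf("hardened, reused IDs:   accepted=%d dc[2]=%d\n", ok,
                si.dcHuffTable[2]);
    ok = readScanInfo(kBadSelectorScan, kFrameIds, 3, si, true);
    std::printf("hardened, selector 0x5F: accepted=%d\n", ok);
    return 0;
}
```

With the reused-ID header the unhardened path succeeds yet leaves component 2's selector at the poison value, which is exactly the index the decoder would later feed into dcHuffTables; the hardened path leaves it at table 0, and separately rejects the 0x5F selector that initialization alone would not catch. A real fix needs both halves: the zero-initialization covers components the scan never names, the range check covers selectors the scan names badly.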